2533 строки
108 KiB
JSON
2533 строки
108 KiB
JSON
{
|
|
"version": "Notebook/1.0",
|
|
"items": [
|
|
{
|
|
"type": 11,
|
|
"content": {
|
|
"version": "LinkItem/1.0",
|
|
"style": "tabs",
|
|
"links": [
|
|
{
|
|
"id": "45805ae8-29d7-4774-a10a-8d60af407bbf",
|
|
"cellValue": "tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Overview",
|
|
"subTarget": "overview",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "a4b35478-499a-4fcc-8424-63abbb698bfa",
|
|
"cellValue": "tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "AI Analyst",
|
|
"subTarget": "ai-analyst",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "2eac3f00-5164-4a77-9781-118eb681b729",
|
|
"cellValue": "tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Antigena Response",
|
|
"subTarget": "agn",
|
|
"style": "link"
|
|
},
|
|
{
|
|
"id": "7a64cd79-3a09-4046-8d6f-ba24fc2bab6c",
|
|
"cellValue": "tab",
|
|
"linkTarget": "parameter",
|
|
"linkLabel": "Cloud",
|
|
"subTarget": "cloud",
|
|
"style": "link"
|
|
}
|
|
]
|
|
},
|
|
"name": "tabs"
|
|
},
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "96e10804-35d4-4d5c-b2d8-1af544471721",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "Timeframe",
|
|
"type": 4,
|
|
"description": "Pick the timerange for all queries in the graph ",
|
|
"isRequired": true,
|
|
"value": {
|
|
"durationMs": 604800000
|
|
},
|
|
"typeSettings": {
|
|
"selectableValues": [
|
|
{
|
|
"durationMs": 300000
|
|
},
|
|
{
|
|
"durationMs": 900000
|
|
},
|
|
{
|
|
"durationMs": 1800000
|
|
},
|
|
{
|
|
"durationMs": 3600000
|
|
},
|
|
{
|
|
"durationMs": 14400000
|
|
},
|
|
{
|
|
"durationMs": 43200000
|
|
},
|
|
{
|
|
"durationMs": 86400000
|
|
},
|
|
{
|
|
"durationMs": 172800000
|
|
},
|
|
{
|
|
"durationMs": 259200000
|
|
},
|
|
{
|
|
"durationMs": 604800000
|
|
},
|
|
{
|
|
"durationMs": 1209600000
|
|
},
|
|
{
|
|
"durationMs": 2419200000
|
|
},
|
|
{
|
|
"durationMs": 2592000000
|
|
},
|
|
{
|
|
"durationMs": 5184000000
|
|
},
|
|
{
|
|
"durationMs": 7776000000
|
|
}
|
|
]
|
|
},
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"doNotRunWhenHidden": true,
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "Timescale "
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "610136a1-b7cf-4eb3-9ef6-51a2d22e1621",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "_severity",
|
|
"type": 1,
|
|
"description": "parameter to drill down on clicked severity tile",
|
|
"value": "hidden",
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"label": "severity"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "datatable (Count: long, status: string, status_count: long) [0, \"Low\", 1, 0, \"Medium\", 2, 0, \"High\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n CommonSecurityLog\r\n | where DeviceVendor == \"Darktrace\" and Activity !contains (\"saas\")\r\n | extend status = case( \r\n toint(LogSeverity) > 6, \"Critical\",\r\n toint(LogSeverity) < 3, \"Low\",\r\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \"High\",\r\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \"Medium\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"High\", 3, status == \"Medium\", 2, 1)\r\n | summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc",
|
|
"size": 3,
|
|
"title": "Model Breaches By Severity",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"exportFieldName": "status",
|
|
"exportParameterName": "_severity",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "status",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "yellow",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Critical",
|
|
"representation": "red",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "green",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false,
|
|
"maximumFractionDigits": 2,
|
|
"maximumSignificantDigits": 3
|
|
}
|
|
}
|
|
},
|
|
"showBorder": true,
|
|
"size": "auto"
|
|
}
|
|
},
|
|
"name": "model breaches by severity"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "_Click on the tiles to view more details (maximum 100 entries displayed)_",
|
|
"style": "info"
|
|
},
|
|
"name": "text - 3"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//low severity\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"Enterprise Immune System\" and Activity !contains (\"saas\")\r\n| where toint(LogSeverity) < 3\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| parse AdditionalExtensions with * \"message=\" Message \";\" null\r\n| parse AdditionalExtensions with * \"long=\" Longitude \";\" null\r\n| parse AdditionalExtensions with * \"lat=\" Latitude \";\" null\r\n| limit 100\r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\r\n| sort by TimeGenerated desc",
|
|
"size": 0,
|
|
"title": "Low Severity Model Breaches",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "yellow",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceUrl",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"linkTarget": "Url"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OtherExtensions",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "50%"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "LogSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "DarktraceURL"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "_severity",
|
|
"comparison": "isEqualTo",
|
|
"value": "Low"
|
|
},
|
|
"name": "Low severity model breaches"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//medium severity\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"Enterprise Immune System\" and Activity !contains (\"saas\")\r\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| parse AdditionalExtensions with * \"message=\" Message \";\" null\r\n| parse AdditionalExtensions with * \"long=\" Longitude \";\" null\r\n| parse AdditionalExtensions with * \"lat=\" Latitude \";\" null\r\n| limit 100\r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\r\n| sort by TimeGenerated desc",
|
|
"size": 0,
|
|
"title": "Medium Severity Model Breaches",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceUrl",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"linkTarget": "Url"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OtherExtensions",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "50%"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "LogSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "DarktraceURL"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "_severity",
|
|
"comparison": "isEqualTo",
|
|
"value": "Medium"
|
|
},
|
|
"name": "Medium severity model breaches "
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//high severity\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"Enterprise Immune System\" and Activity !contains (\"saas\")\r\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| parse AdditionalExtensions with * \"message=\" Message \";\" null\r\n| parse AdditionalExtensions with * \"long=\" Longitude \";\" null\r\n| parse AdditionalExtensions with * \"lat=\" Latitude \";\" null\r\n| limit 100\r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\r\n| sort by TimeGenerated desc",
|
|
"size": 0,
|
|
"title": "High Severity Model Breaches",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceUrl",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"linkTarget": "Url"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "AdditionalExtensions",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "70%"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "LogSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "DarktraceURL"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "_severity",
|
|
"comparison": "isEqualTo",
|
|
"value": "High"
|
|
},
|
|
"name": "High severity model breaches "
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//critical severity\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"Enterprise Immune System\" and Activity !contains (\"saas\")\r\n| where toint(LogSeverity) >6\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| parse AdditionalExtensions with * \"message=\" Message \";\" null\r\n| parse AdditionalExtensions with * \"long=\" Longitude \";\" null\r\n| parse AdditionalExtensions with * \"lat=\" Latitude \";\" null\r\n| limit 100\r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\r\n| sort by TimeGenerated desc",
|
|
"size": 0,
|
|
"title": "Critical Severity Model Breaches",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "red",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceUrl",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"linkTarget": "Url"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "AdditionalExtensions",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "70%"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "LogSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "DarktraceURL"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "_severity",
|
|
"comparison": "isEqualTo",
|
|
"value": "Critical"
|
|
},
|
|
"name": "Critical severity model breaches"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "_severity",
|
|
"comparison": "isNotEqualTo",
|
|
"value": "hidden"
|
|
},
|
|
"name": "Drill down group for different severities"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and Activity !contains (\"saas\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
|
|
"size": 3,
|
|
"title": "Model Breaches Over Time ",
|
|
"color": "orange",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"timeBrushParameterName": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart",
|
|
"chartSettings": {
|
|
"showMetrics": false
|
|
}
|
|
},
|
|
"name": "breaches in group"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _",
|
|
"style": "info"
|
|
},
|
|
"name": "text - 11"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and Activity !contains (\"saas\")\r\n| summarize event_count=count() by Activity \r\n| where Activity!=\"System/System\" \r\n| top 10 by event_count",
|
|
"size": 0,
|
|
"title": "Top 10 Most Breached Models",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "60ch"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "event_count",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "event_count",
|
|
"label": "Count"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"customWidth": "55",
|
|
"name": "most breached models"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "\r\nCommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and Activity !contains (\"saas\")\r\n| where isnotempty(DestinationHostName) \r\n| summarize count(Activity) by DestinationHostName",
|
|
"size": 3,
|
|
"title": "Top External Hostnames",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "piechart"
|
|
},
|
|
"customWidth": "45",
|
|
"name": "top external hostnames"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and Activity !contains (\"saas\")\r\n| where isnotempty(DeviceName) \r\n| where DeviceName !contains(\"#\")\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| extend Severity = toint(LogSeverity)\r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\r\n| top 10 by toint(Severity) desc ",
|
|
"size": 0,
|
|
"title": "Top 10 Devices By Severity",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 1,
|
|
"max": 10,
|
|
"palette": "yellowOrangeRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "Severity"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"name": "Top 10 hitting devices"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and Activity !contains (\"saas\")\r\n| where isnotempty(DeviceName) \r\n| where DeviceName contains '#'\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| top 10 by toint(LogSeverity) desc \r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL",
|
|
"size": 0,
|
|
"title": "Top 10 C-Sensor activities",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 1,
|
|
"max": 10,
|
|
"palette": "yellowOrangeRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "LogSeverity",
|
|
"label": "Severity"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "c-sensor top 10"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog | where DeviceVendor == \"Darktrace\" | where isnotempty(DestinationIP) | where DestinationIP !startswith \"10\"| where DestinationIP !startswith \"192\"| where DestinationIP !startswith \"172\"| summarize event_count=count() by DestinationIP | top 10 by event_count",
|
|
"size": 0,
|
|
"title": "Top 10 External IPs",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "barchart"
|
|
},
|
|
"customWidth": "80",
|
|
"name": "top 10 external IPs"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog | where DeviceVendor == \"Darktrace\" \r\n| where Activity contains \"Compliance\"\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
|
|
"size": 0,
|
|
"title": "Compliance Breaches Over Time",
|
|
"color": "orange",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart",
|
|
"chartSettings": {
|
|
"showMetrics": false
|
|
}
|
|
},
|
|
"name": "compliance breaches over time"
|
|
}
|
|
],
|
|
"exportParameters": true
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "overview"
|
|
},
|
|
"name": "overview"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "610136a1-b7cf-4eb3-9ef6-51a2d22e1621",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "_severity",
|
|
"type": 1,
|
|
"description": "parameter to drill down on clicked severity tile",
|
|
"value": "hidden",
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"label": "severity"
|
|
}
|
|
],
|
|
"style": "above",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "parameters - 1"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "datatable (Count: long, status: string, status_count: long) [0, \"Low\", 1, 0, \"Medium\", 2, 0, \"High\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n CommonSecurityLog\r\n | where DeviceVendor == \"Darktrace\" and Activity contains \"saas\"\r\n | extend status = case( \r\n toint(LogSeverity) > 6, \"Critical\",\r\n toint(LogSeverity) < 3, \"Low\",\r\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \"High\",\r\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \"Medium\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"High\", 3, status == \"Medium\", 2, 1)\r\n | summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc",
|
|
"size": 3,
|
|
"title": "Model Breaches By Severity",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"exportFieldName": "status",
|
|
"exportParameterName": "_severity",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "status",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "yellow",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Critical",
|
|
"representation": "red",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "green",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Count",
|
|
"formatter": 1,
|
|
"numberFormat": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": false,
|
|
"maximumFractionDigits": 2,
|
|
"maximumSignificantDigits": 3
|
|
}
|
|
}
|
|
},
|
|
"showBorder": true,
|
|
"size": "auto"
|
|
}
|
|
},
|
|
"name": "model breaches by severity"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "_Click on the tiles to view more details (maximum 100 entries displayed)_",
|
|
"style": "info"
|
|
},
|
|
"name": "text - 3"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//low severity\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"Enterprise Immune System\" and Activity contains \"saas\"\r\n| where toint(LogSeverity) < 3\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| parse AdditionalExtensions with * \"message=\" Message \";\" null\r\n| parse AdditionalExtensions with * \"long=\" Longitude \";\" null\r\n| parse AdditionalExtensions with * \"lat=\" Latitude \";\" null\r\n| limit 100\r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\r\n| sort by TimeGenerated desc",
|
|
"size": 0,
|
|
"title": "Low Severity Model Breaches",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "yellow",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceUrl",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"linkTarget": "Url"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OtherExtensions",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "50%"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "LogSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "DarktraceURL"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "_severity",
|
|
"comparison": "isEqualTo",
|
|
"value": "Low"
|
|
},
|
|
"name": "Low severity model breaches"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//medium severity\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"Enterprise Immune System\" and Activity contains \"saas\"\r\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| parse AdditionalExtensions with * \"message=\" Message \";\" null\r\n| parse AdditionalExtensions with * \"long=\" Longitude \";\" null\r\n| parse AdditionalExtensions with * \"lat=\" Latitude \";\" null\r\n| limit 100\r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\r\n| sort by TimeGenerated desc",
|
|
"size": 0,
|
|
"title": "Medium Severity Model Breaches",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "orange",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceUrl",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"linkTarget": "Url"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "OtherExtensions",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "50%"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "LogSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "DarktraceURL"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "_severity",
|
|
"comparison": "isEqualTo",
|
|
"value": "Medium"
|
|
},
|
|
"name": "Medium severity model breaches "
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//high severity\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and Activity contains \"saas\"\r\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| parse AdditionalExtensions with * \"message=\" Message \";\" null\r\n| parse AdditionalExtensions with * \"long=\" Longitude \";\" null\r\n| parse AdditionalExtensions with * \"lat=\" Latitude \";\" null\r\n| limit 100\r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\r\n| sort by TimeGenerated desc",
|
|
"size": 0,
|
|
"title": "High Severity Model Breaches",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "redBright",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceUrl",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"linkTarget": "Url"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "AdditionalExtensions",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "70%"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "LogSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "DarktraceURL"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "_severity",
|
|
"comparison": "isEqualTo",
|
|
"value": "High"
|
|
},
|
|
"name": "High severity model breaches "
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "//critical severity\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and Activity contains \"saas\"\r\n| where toint(LogSeverity) >6\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| parse AdditionalExtensions with * \"message=\" Message \";\" null\r\n| parse AdditionalExtensions with * \"long=\" Longitude \";\" null\r\n| parse AdditionalExtensions with * \"lat=\" Latitude \";\" null\r\n| extend Severity = toint(LogSeverity)\r\n| limit 100\r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\r\n| sort by Severity desc",
|
|
"size": 0,
|
|
"title": "Critical Severity Model Breaches",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": ">",
|
|
"thresholdValue": "0",
|
|
"representation": "red",
|
|
"text": "{0}{1}"
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": "{0}{1}"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 1,
|
|
"max": 10,
|
|
"palette": "greenRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceUrl",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"linkTarget": "Url"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "AdditionalExtensions",
|
|
"formatter": 5,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "70%"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "DarktraceURL"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "_severity",
|
|
"comparison": "isEqualTo",
|
|
"value": "Critical"
|
|
},
|
|
"name": "Critical severity model breaches"
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "_severity",
|
|
"comparison": "isNotEqualTo",
|
|
"value": "hidden"
|
|
},
|
|
"name": "Drill down group for different severities"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and Activity contains \"saas\"\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
|
|
"size": 3,
|
|
"title": "SaaS User Breaches Over Time ",
|
|
"color": "orange",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"timeBrushParameterName": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart",
|
|
"chartSettings": {
|
|
"showMetrics": false
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "saas user graph / time ",
|
|
"styleSettings": {
|
|
"showBorder": true
|
|
}
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and Activity contains \"iaas\"\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
|
|
"size": 3,
|
|
"title": "IaaS User Breaches Over Time ",
|
|
"color": "orange",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"timeBrushParameterName": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart",
|
|
"chartSettings": {
|
|
"showMetrics": false
|
|
}
|
|
},
|
|
"customWidth": "50",
|
|
"name": "iaas user graph / time",
|
|
"styleSettings": {
|
|
"showBorder": true
|
|
}
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _",
|
|
"style": "info"
|
|
},
|
|
"name": "text - 11"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and Activity contains \"saas\"\r\n| summarize event_count=count() by Activity, DeviceName\r\n| where Activity!=\"System/System\" \r\n| top 10 by event_count\r\n| project DeviceName, Activity, event_count",
|
|
"size": 0,
|
|
"title": "Top 10 Most Breached SaaS Users",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "60ch"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "event_count",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "orange"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device"
|
|
},
|
|
{
|
|
"columnId": "event_count",
|
|
"label": "Count"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "most breached SaaS users"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and Activity contains \"saas\"\r\n| where isnotempty(DeviceName) \r\n| where DeviceName !contains(\"#\")\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| extend Severity = toint(LogSeverity)\r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\r\n| top 10 by toint(Severity) desc ",
|
|
"size": 0,
|
|
"title": "Top 10 SaaS Devices By Severity",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "table",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Severity",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 1,
|
|
"max": 10,
|
|
"palette": "yellowOrangeRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "Severity"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": []
|
|
},
|
|
"name": "Top 10 hitting SaaS devices"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and Activity contains \"saas\"\r\n| where isnotempty(DeviceName) \r\n| where DeviceName contains '#'\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| top 10 by toint(LogSeverity) desc \r\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL",
|
|
"size": 0,
|
|
"title": "Top 10 C-Sensor SaaS activities",
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
},
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "40%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 1,
|
|
"max": 10,
|
|
"palette": "yellowOrangeRed"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "LogSeverity",
|
|
"label": "Severity"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "c-sensor top 10 saas"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog | where DeviceVendor == \"Darktrace\" \r\n| where Activity contains \"Compliance\"\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
|
|
"size": 0,
|
|
"title": "Compliance Breaches Over Time",
|
|
"color": "orange",
|
|
"timeContext": {
|
|
"durationMs": 604800000
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart",
|
|
"chartSettings": {
|
|
"showMetrics": false
|
|
}
|
|
},
|
|
"name": "compliance breaches over time"
|
|
}
|
|
],
|
|
"exportParameters": true
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "cloud"
|
|
},
|
|
"name": "Cloud group"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 9,
|
|
"content": {
|
|
"version": "KqlParameterItem/1.0",
|
|
"parameters": [
|
|
{
|
|
"id": "272e8563-290b-4ca9-822b-18ae680cf1e1",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "tripleDrillDown",
|
|
"type": 1,
|
|
"description": "toggles drilldown ",
|
|
"value": "false",
|
|
"isHiddenWhenLocked": true,
|
|
"timeContext": {
|
|
"durationMs": 86400000
|
|
}
|
|
},
|
|
{
|
|
"id": "57ae0969-b409-47e6-85a2-7b3c6895bb60",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "groupingID",
|
|
"type": 1,
|
|
"value": "false",
|
|
"isHiddenWhenLocked": true
|
|
},
|
|
{
|
|
"id": "d44afad0-d6fa-433d-98a1-504ce53c5215",
|
|
"version": "KqlParameterItem/1.0",
|
|
"name": "groupByActivity",
|
|
"type": 1,
|
|
"value": "false",
|
|
"isHiddenWhenLocked": true
|
|
}
|
|
],
|
|
"style": "pills",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces"
|
|
},
|
|
"name": "clicked triple drilldown "
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "let AIAnalystAlerts =\r\n CommonSecurityLog\r\n | where DeviceVendor == \"Darktrace\" and DeviceProduct == \"AI Analyst\"\r\n | extend status = case( \r\n toint(LogSeverity) > 6, \"Critical\",\r\n toint(LogSeverity) < 3, \"Low\",\r\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \"High\",\r\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \"Medium\", \r\n \"True\"\r\n )\r\n | sort by TimeGenerated asc;\r\nunion (\r\n AIAnalystAlerts\r\n | parse AdditionalExtensions with * \"groupByActivity=\" GroupByActivity \";\" null\r\n | where GroupByActivity == 0\r\n | parse AdditionalExtensions with * \"groupingId=\" GroupingID \";\" null\r\n | extend d = pack(\"Activity\", Activity, \"TimeGenerated\", TimeGenerated, \"status\", status, \"DeviceName\", DeviceName, \"DeviceAddress\", DeviceAddress, \"GroupByActivity\", GroupByActivity)\r\n | summarize status = make_list(d)[0].status, Left = iff(make_list(d)[0].DeviceName != \"\", make_list(d)[0].DeviceName, make_list(d)[0].DeviceAddress), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by GroupingID\r\n | extend FirstActivity = list[0].Activity\r\n | extend SecondActivity = iff(FirstActivity != \"\" and list[1].Activity != \"\", strcat(\", \", list[1].Activity), \"\")\r\n | extend ThirdActivity = iff(FirstActivity != \"\" and SecondActivity != \"\" and list[2].Activity != \"\", strcat(\", \", list[2].Activity), \"\")\r\n | extend Right = strcat(FirstActivity, SecondActivity, ThirdActivity, iff(ThirdActivity != \"\", \"...\", \"\"))\r\n | extend showGroupBy = GroupingID\r\n), (\r\n AIAnalystAlerts\r\n | parse AdditionalExtensions with * \"groupByActivity=\" GroupByActivity \";\" null\r\n | where GroupByActivity == 1\r\n | extend d = pack(\"Activity\", Activity, \"TimeGenerated\", TimeGenerated, \"status\", status, \"DeviceName\", DeviceName, \"DeviceAddress\", DeviceAddress, \"ActivityID\", DeviceEventClassID, \"GroupByActivity\", GroupByActivity)\r\n | summarize status = make_list(d)[0].status, Left = make_list(d)[0].Activity, Devices = make_list(d), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by DeviceEventClassID\r\n | extend FirstDevice = iff(list[0].DeviceName != \"\", list[0].DeviceName, list[0].DeviceAddress)\r\n | extend SecondDeviceName = iff(list[1].DeviceName != \"\", list[1].DeviceName, list[1].DeviceAddress)\r\n | extend SecondDevice = iff(FirstDevice != \"\" and SecondDeviceName != \"\", strcat(\", \", SecondDeviceName), \"\")\r\n | extend ThirdDeviceName = iff(list[2].DeviceName != \"\", list[2].DeviceName, list[2].DeviceAddress)\r\n | extend ThirdDevice = iff(FirstDevice != \"\" and SecondDevice != \"\" and ThirdDeviceName != \"\", strcat(\", \", ThirdDeviceName), \"\")\r\n | extend Right = strcat(FirstDevice, SecondDevice, ThirdDevice, iff(ThirdDevice != \"\", \"...\", \"\"))\r\n | extend showGroupBy = DeviceEventClassID\r\n | extend showGroupByActivity = 1\r\n)\r\n| sort by TimeGenerated",
|
|
"size": 2,
|
|
"title": "AI Analyst Incidents",
|
|
"timeContext": {
|
|
"durationMs": 604800000,
|
|
"endTime": "2021-02-11T09:00:00.000Z"
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"exportedParameters": [
|
|
{
|
|
"fieldName": "showGroupByActivity",
|
|
"parameterName": "groupByActivity",
|
|
"parameterType": 1
|
|
},
|
|
{
|
|
"fieldName": "showGroupBy",
|
|
"parameterName": "groupingID",
|
|
"parameterType": 1
|
|
},
|
|
{
|
|
"fieldName": "TimeGenerated",
|
|
"parameterName": "tripleDrillDown",
|
|
"parameterType": 1
|
|
}
|
|
],
|
|
"exportToExcelOptions": "all",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "url",
|
|
"formatter": 7,
|
|
"formatOptions": {
|
|
"linkTarget": "Url"
|
|
}
|
|
}
|
|
],
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "DeviceEventClassID",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "GroupingID",
|
|
"label": "Grouping ID "
|
|
},
|
|
{
|
|
"columnId": "GroupByActivity",
|
|
"label": "Group By Activity"
|
|
}
|
|
]
|
|
},
|
|
"sortBy": [
|
|
{
|
|
"itemKey": "DeviceEventClassID",
|
|
"sortOrder": 1
|
|
}
|
|
],
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "status",
|
|
"formatter": 18,
|
|
"formatOptions": {
|
|
"thresholdsOptions": "colors",
|
|
"thresholdsGrid": [
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Low",
|
|
"representation": "lightBlue",
|
|
"text": ""
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Medium",
|
|
"representation": "lightBlue",
|
|
"text": ""
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "High",
|
|
"representation": "blue",
|
|
"text": ""
|
|
},
|
|
{
|
|
"operator": "==",
|
|
"thresholdValue": "Critical",
|
|
"representation": "blue",
|
|
"text": ""
|
|
},
|
|
{
|
|
"operator": "Default",
|
|
"thresholdValue": null,
|
|
"representation": "blue",
|
|
"text": ""
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"subtitleContent": {
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Left",
|
|
"formatter": 1
|
|
},
|
|
"rightContent": {
|
|
"columnMatch": "Right",
|
|
"formatter": 1
|
|
},
|
|
"showBorder": true,
|
|
"size": "full"
|
|
}
|
|
},
|
|
"name": "All Incidents"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "_ Click on an incident to see related incidents _",
|
|
"style": "info"
|
|
},
|
|
"name": "text - 5"
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"expandable": true,
|
|
"expanded": true,
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "(CommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"AI Analyst\"\r\n| parse AdditionalExtensions with * \"groupingId=\" GroupingID \";\" null\r\n| where DeviceEventClassID == '{groupingID}'\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\r\n| extend d = pack_array(id)\r\n| extend p = pack(\"GroupingID\", GroupingID)\r\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\r\n| extend ids = strcat_array(packed, ',')\r\n| project GroupingID = tostring(GroupingID), ids)\r\n| join (\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"AI Analyst\"\r\n| parse AdditionalExtensions with * \"groupingId=\" GroupingID \";\" null\r\n| parse AdditionalExtensions with * \"message=\" Message \";\" null\r\n| where DeviceEventClassID == '{groupingID}'\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| extend url = split(tostring(DarktraceURL), '#aiincident/')[0]\r\n| extend Device = iff(DeviceName != \"\", DeviceName, DeviceAddress)\r\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\r\n) on GroupingID\r\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)",
|
|
"size": 0,
|
|
"title": "Related Incidents",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "10%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "10%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Message",
|
|
"formatter": 0,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "30%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"max": 10,
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "GroupingID",
|
|
"formatter": 5
|
|
},
|
|
{
|
|
"columnMatch": "DeviceEventClassID",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "LogSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "DarktraceURL"
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url"
|
|
}
|
|
},
|
|
"subtitleContent": {
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Device",
|
|
"formatter": 1
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Message",
|
|
"formatter": 1
|
|
},
|
|
"showBorder": true,
|
|
"size": "full"
|
|
}
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "groupByActivity",
|
|
"comparison": "isEqualTo",
|
|
"value": "1"
|
|
},
|
|
"name": "3drilldownlate - Copy"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "(CommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"AI Analyst\"\r\n| parse AdditionalExtensions with * \"groupingId=\" GroupingID \";\" null\r\n| where GroupingID == '{groupingID}'\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\r\n| extend d = pack_array(id)\r\n| extend p = pack(\"GroupingID\", GroupingID)\r\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\r\n| extend ids = strcat_array(packed, ',')\r\n| project GroupingID = tostring(GroupingID), ids)\r\n| join (\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"AI Analyst\"\r\n| parse AdditionalExtensions with * \"groupingId=\" GroupingID \";\" null\r\n| parse AdditionalExtensions with * \"message=\" Message \";\" null\r\n| where GroupingID == '{groupingID}'\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| extend url = split(tostring(DarktraceURL), '#aiincident/')[0]\r\n| extend Device = iff(DeviceName != \"\", DeviceName, DeviceAddress)\r\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\r\n) on GroupingID\r\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)",
|
|
"size": 0,
|
|
"title": "Related Incidents",
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "17.5%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url",
|
|
"customColumnWidthSetting": "20%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceName",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "10%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DeviceAddress",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "10%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "Message",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"customColumnWidthSetting": "35%"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "LogSeverity",
|
|
"formatter": 8,
|
|
"formatOptions": {
|
|
"min": 0,
|
|
"max": 10,
|
|
"palette": "blue"
|
|
}
|
|
},
|
|
{
|
|
"columnMatch": "DarktraceURL",
|
|
"formatter": 5
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "TimeGenerated",
|
|
"label": "Time"
|
|
},
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "DeviceName",
|
|
"label": "Device Name"
|
|
},
|
|
{
|
|
"columnId": "DeviceAddress",
|
|
"label": "Device Address"
|
|
},
|
|
{
|
|
"columnId": "Message"
|
|
},
|
|
{
|
|
"columnId": "LogSeverity",
|
|
"label": "Severity"
|
|
},
|
|
{
|
|
"columnId": "DarktraceURL"
|
|
}
|
|
]
|
|
},
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "Activity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url"
|
|
}
|
|
},
|
|
"subtitleContent": {
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Device",
|
|
"formatter": 1
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "Message"
|
|
},
|
|
"showBorder": true,
|
|
"size": "full"
|
|
},
|
|
"mapSettings": {
|
|
"locInfo": "LatLong"
|
|
}
|
|
},
|
|
"conditionalVisibilities": [
|
|
{
|
|
"parameterName": "groupByActivity",
|
|
"comparison": "isEqualTo",
|
|
"value": "false"
|
|
},
|
|
{
|
|
"parameterName": "groupingID",
|
|
"comparison": "isNotEqualTo",
|
|
"value": "false"
|
|
}
|
|
],
|
|
"name": "3drilldownlate"
|
|
}
|
|
],
|
|
"exportParameters": true
|
|
},
|
|
"conditionalVisibilities": [
|
|
{
|
|
"parameterName": "groupingID",
|
|
"comparison": "isNotEqualTo"
|
|
},
|
|
{
|
|
"parameterName": "tripleDrillDown",
|
|
"comparison": "isNotEqualTo",
|
|
"value": "false"
|
|
}
|
|
],
|
|
"name": "GROUP BY drilldown "
|
|
}
|
|
],
|
|
"exportParameters": true
|
|
},
|
|
"name": "triple drilldown"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"AI Analyst\"\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
|
|
"size": 3,
|
|
"title": "AI Analyst Incidents Over Time",
|
|
"color": "lightBlue",
|
|
"timeContext": {
|
|
"durationMs": 604800000,
|
|
"endTime": "2021-02-11T09:00:00.000Z"
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"timeBrushParameterName": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "areachart",
|
|
"chartSettings": {
|
|
"showMetrics": false,
|
|
"ySettings": {
|
|
"numberFormatSettings": {
|
|
"unit": 17,
|
|
"options": {
|
|
"style": "decimal",
|
|
"useGrouping": true,
|
|
"minimumFractionDigits": 0,
|
|
"maximumFractionDigits": 0
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"name": "incidents in group"
|
|
},
|
|
{
|
|
"type": 1,
|
|
"content": {
|
|
"json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _",
|
|
"style": "info"
|
|
},
|
|
"name": "text - 6"
|
|
},
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Darktrace\" and DeviceProduct == \"AI Analyst\"\r\n| summarize event_count=count() by Activity \r\n| where Activity!=\"System/System\" \r\n| top 10 by event_count",
|
|
"size": 0,
|
|
"title": "Top 10 Most Frequent Incidents ",
|
|
"timeContext": {
|
|
"durationMs": 604800000,
|
|
"endTime": "2021-02-11T09:00:00.000Z"
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"gridSettings": {
|
|
"formatters": [
|
|
{
|
|
"columnMatch": "event_count",
|
|
"formatter": 3,
|
|
"formatOptions": {
|
|
"palette": "blue"
|
|
}
|
|
}
|
|
],
|
|
"labelSettings": [
|
|
{
|
|
"columnId": "Activity"
|
|
},
|
|
{
|
|
"columnId": "event_count",
|
|
"label": "Count"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"name": "Top 10 Most Frequent Incidents "
|
|
}
|
|
],
|
|
"exportParameters": true
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "ai-analyst"
|
|
},
|
|
"name": "ai- analyst group "
|
|
},
|
|
{
|
|
"type": 12,
|
|
"content": {
|
|
"version": "NotebookGroup/1.0",
|
|
"groupType": "editable",
|
|
"items": [
|
|
{
|
|
"type": 3,
|
|
"content": {
|
|
"version": "KqlItem/1.0",
|
|
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Darktrace\" and Activity contains \"Antigena\"\r\n| parse AdditionalExtensions with * \"groupByActivity=\" GroupByActivity \";\" null\r\n| parse AdditionalExtensions with * \"darktraceUrl=\" DarktraceURL \";\" null\r\n| parse AdditionalExtensions with * \"message=\" Message_s \";\" null\r\n| extend Device = iff(DeviceName != \"\", DeviceName, DeviceAddress)\r\n| extend agnActivity = split(Activity, \"/\")[2]\r\n| extend arr = split(Message_s,\"/\")\r\n| extend msgInfo = arr[(array_length(arr)-1)]",
|
|
"size": 3,
|
|
"timeContext": {
|
|
"durationMs": 0
|
|
},
|
|
"timeContextFromParameter": "Timeframe",
|
|
"queryType": 0,
|
|
"resourceType": "microsoft.operationalinsights/workspaces",
|
|
"visualization": "tiles",
|
|
"tileSettings": {
|
|
"titleContent": {
|
|
"columnMatch": "agnActivity",
|
|
"formatter": 1,
|
|
"formatOptions": {
|
|
"linkColumn": "DarktraceURL",
|
|
"linkTarget": "Url"
|
|
}
|
|
},
|
|
"subtitleContent": {
|
|
"columnMatch": "TimeGenerated",
|
|
"formatter": 6
|
|
},
|
|
"leftContent": {
|
|
"columnMatch": "Device"
|
|
},
|
|
"secondaryContent": {
|
|
"columnMatch": "msgInfo",
|
|
"formatter": 1
|
|
},
|
|
"showBorder": true,
|
|
"sortCriteriaField": "TimeGenerated",
|
|
"sortOrderField": 2,
|
|
"size": "full"
|
|
}
|
|
},
|
|
"name": "top level query "
|
|
}
|
|
]
|
|
},
|
|
"conditionalVisibility": {
|
|
"parameterName": "tab",
|
|
"comparison": "isEqualTo",
|
|
"value": "agn"
|
|
},
|
|
"name": "agn group",
|
|
"styleSettings": {
|
|
"showBorder": true
|
|
}
|
|
}
|
|
],
|
|
"fromTemplateId": "sentinel-AI Darktrace v1.0",
|
|
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
|
|
}
|